Add Data and Risk Intelligence to Your ServiceNow VRM TPRM Program

4 minute read

March 2023

CyberGRX is proud to announce the launch of our ServiceNow VRM integration, designed to provide trusted risk data on your vendors to help reduce assessment chasing and spreadsheet management. With a CyberGRX license and a ServiceNow VRM account, you can quickly audit your portfolio, discover unknown insights, manage risk, and implement a remediation workflow to drive your third-party cyber risk management program decisions through data. 

See how the integration works:

Audit Your Portfolio With the World’s Largest Third-Party Cyber Risk Exchange 

As the number of vendors in a portfolio grows yearly, requesting and managing assessments for an entire portfolio becomes increasingly challenging. Once you’ve synced your portfolio, the CyberGRX-ServiceNow VRM Integration allows you to tap into the world’s largest third-party cyber risk Exchange with over 13,000 attested assessments, including those from the top 85% of vendors. 

An attested CyberGRX assessment is detailed and focuses on every key customer and vendor relationship aspect. Suppose a vendor has a completed assessment in the Exchange. In that case, you can confidently reduce the need to request an assessment from them so your team can concentrate on the questionable vendors in your portfolio.

Answer Simple Questions to Discover Insights Into Your Portfolio Risk

One of the key values of the CyberGRX-ServiceNow VRM integration is access to our impact questions that allow you to understand the inherent risk of your portfolio and vendors with critical insights that will help you decide on the next steps. Our eight impact questions focus on key areas to understand how you do business with your vendor. We evaluate your vendor’s interaction, level of access, or criticality regarding the following:

  • Business Process
  • People
  • Digital Identities (credentials)
  • Application
  • Data
  • Devices
  • Networks
  • Facilities

Your answers regarding your relationship with the vendor correlate with our assessments and provide a foundation to determine the inherent risk your vendors pose to you. The results from the impact questions allow you to understand which vendors will have a higher impact on your business so you can prioritize and focus on them:

  • Likelihood Score – Represents the probability of targeted attacks for this vendor.
  • Impact Score – Measures the potential harm to your business if the vendor is breached.

The Likelihood and Impact Scores are represented in a range between 0-200 to provide a high, medium, and low-risk determination.

Analyze Data to Manage Risk 

With insights uncovered, it’s time to analyze the data to help you make informed decisions and develop a concise risk strategy. As the results are mapped to our assessments, we can now gain context for the blindspots in your portfolio and determine which vendors do not meet your security and risk standards. 

To determine who requires further investigation, we look at the following elements:

  • Maturity Scores – Gauges a company’s ability to sustain positive cyber practices. Low maturity may implement adequate security controls but is unlikely to be sustainable and not backed by institutional planning or standardization. High maturity tends to be ineffective at implementing good security controls due to poor execution or accountability. 
  • Controls Coverage – Measures how many controls were answered positively at the group and family levels. A considerable disagreement between Maturity Scores and Controls Coverage could indicate potential concerns.
  • Gap Findings – Discover your vendor’s unmet controls or places you have gaps. 
  • CyberGRX Risk Report – Downloadable PDF of your assessment results detailing the gapped controls, view of the vendor’s scores for security control coverage, and maturity.

Now with an understanding of each vendor’s risk and specific controls that need to be addressed, the CyberGRX-ServiceNow VRM integration allows for prioritizing your vendors accurately so you can make informed decisions that will directly influence your mitigation workflow.

Actionable Mitigation Workflow With Confident Decisions

The insights and reports from the integration can help you understand which vendors do not meet your security or risk standards and identify the precise security controls that the vendor did not meet. You can import these issues into ServiceNow to be remediated, mitigated, or accepted. 

While requesting and managing assessments of your vendors is routine when it comes to cyber risk management, operating in the dark without insights can lead to exhausting budgets and resources. With the added value of the CyberGRX-ServiceNow VRM integration, your TPRM program can get a jump start by reducing the number of vendors needing to be assessed, thanks to our Exchange data. Leverage our impact questions to learn more about the risk your vendors pose, and utilize our reports to understand the gaps in your program to prioritize the riskiest vendors effectively. 

To get started with your CyberGRX-ServiceNow VRM integration, you must be a customer of both ServiceNow and CyberGRX. If you are not a CyberGRX customer already, we invite you to book a demo now.

About the author: Ahmed Siddiqui is a Sr. Product Marketing Manager at CyberGRX and loves everything about the platform, from how it’s built to discovering unique ways it can help solve customers’ daily problems. He is passionate about helping others and providing a fun environment. When he’s not cooking up a product-focused blog, he enjoys spending time in the kitchen.

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit